{{- if not (eq (empty .Values.controlPlane.tls.general.caBundle) (empty .Values.controlPlane.tls.general.secretName)) }}
  {{ fail "You need to send both or neither of controlPlane.tls.general.caBundle and controlPlane.tls.general.secretName"}}
{{- end }}
{{- $caBundle := .Values.controlPlane.tls.general.caBundle }}
{{/*
Generate certificates
see: https://masterminds.github.io/sprig/crypto.html
see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca
see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl

We only autogenerate certs if user did not chose their own secret.
We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades.
*/}}

{{- if eq .Values.controlPlane.tls.general.secretName "" -}}
{{- $cert := "" }}
{{- $key := "" }}
{{- $secretName := print (include "kuma.name" .) "-tls-cert" }}

{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{- if $secret -}}
  {{- $cert = index $secret.data "tls.crt" -}}
  {{- $key = index $secret.data "tls.key" -}}
  {{- $caBundle = index $secret.data "ca.crt" -}}
{{- else -}}
  {{- $commonName := (include "kuma.controlPlane.serviceName" .) -}}
  {{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}}
  {{- $certTTL := 3650 -}}
  {{- $ca := genCA "kuma-ca" $certTTL -}}

  {{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}}
  {{- $cert = $genCert.Cert | b64enc -}}
  {{- $key = $genCert.Key | b64enc -}}
  {{ $caBundle = $ca.Cert | b64enc }}
{{- end -}}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
data:
  tls.crt: {{ $cert }}
  tls.key: {{ $key }}
  ca.crt: {{ $caBundle }}
{{- end }}
{{- if (eq .Values.controlPlane.environment "kubernetes") }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
webhooks:
  - name: mesh.defaulter.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /default-kuma-io-v1alpha1-mesh
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - meshes
        {{- range $policy, $v := .Values.plugins.policies }}
        {{- if $v }}
          - {{ $policy }}
        {{- end}}
        {{- end}}
    sideEffects: None
  - name: owner-reference.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /owner-reference-kuma-io-v1alpha1
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
        resources:
          - circuitbreakers
          - externalservices
          - faultinjections
          - healthchecks
          - meshgateways
          - meshgatewayroutes
          - proxytemplates
          - ratelimits
          - retries
          - timeouts
          - trafficlogs
          - trafficpermissions
          - trafficroutes
          - traffictraces
          - virtualoutbounds
        {{- range $policy, $v := .Values.plugins.policies }}
        {{- if $v }}
          - {{ $policy }}
        {{- end}}
        {{- end}}
  {{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }}
    sideEffects: None
  {{- if ne .Values.controlPlane.mode "global" }}
  - name: namespace-kuma-injector.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
        - key: kuma.io/sidecar-injection
          operator: In
          values: ["enabled", "true"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /inject-sidecar
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
    sideEffects: None
  - name: pods-kuma-injector.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    objectSelector:
      matchLabels:
        kuma.io/sidecar-injection: enabled
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /inject-sidecar
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
    sideEffects: None
  {{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ include "kuma.name" . }}-validating-webhook-configuration
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.cpLabels" . | nindent 4 }}
webhooks:
  - name: validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /validate-kuma-io-v1alpha1
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - circuitbreakers
          - dataplanes
          - externalservices
          - faultinjections
          - gatewayinstances
          - healthchecks
          - meshes
          - meshgateways
          - meshgatewayroutes
          - proxytemplates
          - ratelimits
          - retries
          - trafficlogs
          - trafficpermissions
          - trafficroutes
          - traffictraces
          - virtualoutbounds
          - zones
          - containerpatches
        {{- range $policy, $v := .Values.plugins.policies }}
        {{- if $v }}
          - {{ $policy }}
        {{- end}}
        {{- end}}
    {{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }}
    sideEffects: None
  {{- if ne .Values.controlPlane.mode "global" }}
  - name: service.validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Ignore
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /validate-v1-service
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - services
    sideEffects: None
  {{- end }}
  - name: secret.validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    namespaceSelector:
      matchLabels:
        kuma.io/system-namespace: "true"
    failurePolicy: Ignore
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" .  }}
        path: /validate-v1-secret
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - secrets
    sideEffects: None
  - name: gateway.validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Ignore
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" .  }}
        path: /validate-gatewayclass
    rules:
      - apiGroups:
          - "gateway.networking.k8s.io"
        apiVersions:
          - v1beta1
        operations:
          - CREATE
        resources:
          - gatewayclasses
    sideEffects: None
{{- end }}
